LDAP configuration does not work

Help with Znuny problems of all kinds
grenzreiter
Znuny newbie
Posts: 46
Joined: 05 Dec 2012, 11:02
Znuny Version: 3.2.3
Company: Universität Augsburg

LDAP configuration does not work

Post by grenzreiter

Code:

# This is an example configuration for an LDAP auth. backend.
# (Make sure Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '...';
$Self->{'AuthModule::LDAP::BaseDN'} = '...';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountname';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = '';
$Self->{'AuthModule::LDAP::AccessAttr'} = '';
# for ldap posixGroups objectclass (just uid)
#  $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
#  $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = '...';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '...';

# in case you always want to add one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
#$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. a user just wants to log in as "user" but
# in your ldap directory the entry is user@domain.
#    $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = '...';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = '...';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountname';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = '...';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '...';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    'UserEmail'     => 'mail',
    'UserFirstname' => 'givenName',
    'UserLastname'  => 'sn',
    'UserLogin'     => 'sAMAccountName',
};

$Self->{CustomerUser} = {
    Name   => 'Uni Augsburg',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => '...',
        BaseDN => '...',
        SSCOPE => 'sub',
        UserDN => '...',
        UserPw => '...',
        #AlwaysFilter => '(&(objectclass=user)(mail=*.*@Firma.de))',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'mail',
    CustomerUserListFields             => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields           => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => ['givenname', 'sn'],

    Map => [
        [ 'UserSalutation', 'Title',      'title',           1, 0, 'var' ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var' ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'sAMAccountName',  1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var' ],
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var' ],
    ],
};

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync the following group with rw permission after the initial creation of the first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];
###############################################################################################################

(SERVER and PASSWORD are entered correctly.)
Where am I going wrong? Every time I try to restart Apache, everything crashes.

Regards
Last edited by grenzreiter on 08 Mar 2013, 23:05, edited 2 times in total.
OTRS runs on Ubuntu Linux 10.04, version 3.2.3
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master
Contact:

Re: LDAP configuration does not work

Post by jojo

Error message?

Is the Perl package Net::LDAP installed?
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
grenzreiter
Znuny newbie
Posts: 46
Joined: 05 Dec 2012, 11:02
Znuny Version: 3.2.3
Company: Universität Augsburg

Re: LDAP configuration does not work

Post by grenzreiter

I tried another config as well

Code:

# This is an example configuration for an LDAP auth. backend.
# (Make sure Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '...';
$Self->{'AuthModule::LDAP::BaseDN'} = '...';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountname';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = '';
$Self->{'AuthModule::LDAP::AccessAttr'} = '';
# for ldap posixGroups objectclass (just uid)
#  $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
#  $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = '...';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '...';

# in case you always want to add one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
#$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. a user just wants to log in as "user" but
# in your ldap directory the entry is user@domain.
#    $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = '...';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = '...';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountname';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = '...';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '...';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    'UserEmail'     => 'mail',
    'UserFirstname' => 'givenName',
    'UserLastname'  => 'sn',
    'UserLogin'     => 'sAMAccountName',
};

$Self->{CustomerUser} = {
    Name   => 'Uni Augsburg',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => '...',
        BaseDN => '...',
        SSCOPE => 'sub',
        UserDN => '...',
        UserPw => '...',
        #AlwaysFilter => '(&(objectclass=user)(mail=*.*@Firma.de))',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'mail',
    CustomerUserListFields             => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields           => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => ['givenname', 'sn'],

    Map => [
        [ 'UserSalutation', 'Title',      'title',           1, 0, 'var' ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var' ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'sAMAccountName',  1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var' ],
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var' ],
    ],
};

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync the following group with rw permission after the initial creation of the first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];
###############################################################################################################
It still doesn't work. Log:

Code:

Wed Dec 5 11:27:08 2012 	error 	OTRS-CGI-10 	No UserID found for 'birnerth'!
Wed Dec 5 11:27:08 2012 	notice 	OTRS-CGI-10 	User: birnerth authentication failed, no LDAP entry found!BaseDN='cn=zv-otrs-benutzer, ou=_groups, ou=zv, ou=idmorg, dc=uni-augsburg, dc=de', Filter='(sAMAccountName=birnerth)', (REMOTE_ADDR: 137.250.18.197).
Wed Dec 5 11:27:08 2012 	error 	OTRS-CGI-10 	Need CustomerUser->Params->Host in Kernel/Config.pm
Wed Dec 5 11:27:01 2012 	error 	OTRS-CGI-10 	Need CustomerUser->Params->Host in Kernel/Config.pm
Every time we try a test login, the above error message appears.

Net::LDAP is installed.

Regards

P.S.: Host has since been added, but it still says there is no LDAP entry.
Last edited by grenzreiter on 08 Mar 2013, 23:04, edited 4 times in total.
OTRS runs on Ubuntu Linux 10.04, version 3.2.3
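Added example, not part of the thread: a small Python parser for OTRS log lines of the kind quoted in the post above. It pulls user, BaseDN, filter and client address out of the "no LDAP entry found" notice and the key out of the "Need ... in Kernel/Config.pm" error, flags a BaseDN whose first RDN is cn= (in the log it is a group DN, which is why a search for user entries below it finds nothing), and counts failed lookups per client address. The sample log is constructed from the lines in the post.

```python
import re
from collections import Counter

# Constructed sample, modelled on the (tab-separated) log lines quoted above.
SAMPLE_LOG = (
    "Wed Dec 5 11:27:08 2012\terror\tOTRS-CGI-10\tNo UserID found for 'birnerth'!\n"
    "Wed Dec 5 11:27:08 2012\tnotice\tOTRS-CGI-10\tUser: birnerth authentication failed, "
    "no LDAP entry found!BaseDN='cn=zv-otrs-benutzer, ou=_groups, ou=zv, ou=idmorg, "
    "dc=uni-augsburg, dc=de', Filter='(sAMAccountName=birnerth)', (REMOTE_ADDR: 137.250.18.197).\n"
    "Wed Dec 5 11:27:08 2012\terror\tOTRS-CGI-10\tNeed CustomerUser->Params->Host in Kernel/Config.pm\n"
)
LINE_RE = re.compile(r"^(?P<ts>.+?)\t(?P<level>\w+)\t(?P<src>\S+)\t(?P<msg>.*)$")
FAIL_RE = re.compile(
    r"User: (?P<user>\S+) authentication failed, no LDAP entry found!"
    r"BaseDN='(?P<basedn>[^']*)', Filter='(?P<filter>[^']*)', \(REMOTE_ADDR: (?P<addr>[^)]+)\)"
)
MISSING_RE = re.compile(r"Need (?P<key>\S+) in Kernel/Config\.pm")

def first_rdn_attr(dn):
    """Attribute type of the leftmost RDN: 'cn' for 'cn=group, ou=x, dc=y'."""
    return dn.split(",", 1)[0].split("=", 1)[0].strip().lower()

def parse_log(text):
    """Extract LDAP lookup failures and missing-config errors as dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if fail := FAIL_RE.search(msg):
            events.append({"kind": "ldap_no_entry", "ts": m.group("ts"), **fail.groupdict()})
        elif miss := MISSING_RE.search(msg):
            events.append({"kind": "missing_config", "ts": m.group("ts"), "key": miss.group("key")})
    return events

def diagnose(events):
    """Findings an admin can act on, plus failed lookups per client address (alerting)."""
    findings = []
    for ev in events:
        if ev["kind"] == "missing_config":
            findings.append(f"{ev['key']} is not set in Kernel/Config.pm")
        elif ev["kind"] == "ldap_no_entry" and first_rdn_attr(ev["basedn"]) == "cn":
            # A cn= base is usually a group or other leaf object (AD's cn=Users container is
            # the exception). OTRS searches for user entries below BaseDN, so a group DN finds
            # nothing: use the users' OU as BaseDN and AuthModule::LDAP::GroupDN for the group.
            findings.append(f"BaseDN '{ev['basedn']}' starts with cn=; check that user "
                            f"objects matching {ev['filter']} really exist below it")
    per_addr = Counter(ev["addr"] for ev in events if ev["kind"] == "ldap_no_entry")
    return findings, per_addr
```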
catweazle
Znuny advanced
Posts: 121
Joined: 15 Feb 2012, 12:22
Znuny Version: 3.1

Re: LDAP configuration does not work

Post by catweazle

Try entering the complete path, the DN, for your search user

and... take another look at EVERYTHING you posted along with it ... :shock:
1: OTRS 3.1.21 + Support + MasterSlave @ CentOS 6.5 , MySQL
2: Test: OTRS 3.1.21 + Support + MasterSlave @ CentOS 6.5 , MySQL
3: Test-2: OTRS 3.3.x + Support + MasterSlave @ CentOS 6.5 , MySQL (iphone, idoit-trash)
grenzreiter
Znuny newbie
Posts: 46
Joined: 05 Dec 2012, 11:02
Znuny Version: 3.2.3
Company: Universität Augsburg

Re: LDAP configuration does not work

Post by grenzreiter

So, I rewrote everything from scratch. Auth works, but I have the following problem: the agents still have to be present in the database. So I thought, no problem, just enter the agent without a password and hopefully it will sync the password along. No luck. I have to assign a password. Is there a way to create a user without a password and then only transfer the password into the OTRS DB at login?

Code:

# This is an example configuration for an LDAP auth. backend.
# (Make sure Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '...';
$Self->{'AuthModule::LDAP::BaseDN'} = '...';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountname';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = '';
$Self->{'AuthModule::LDAP::AccessAttr'} = '';
# for ldap posixGroups objectclass (just uid)
#  $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
#  $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = '...';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '...';

# in case you always want to add one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
#$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. a user just wants to log in as "user" but
# in your ldap directory the entry is user@domain.
#    $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = '...';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = '...';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountname';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = '...';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '...';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    'UserEmail'     => 'mail',
    'UserFirstname' => 'givenName',
    'UserLastname'  => 'sn',
    'UserLogin'     => 'sAMAccountName',
};

$Self->{CustomerUser} = {
    Name   => 'Uni Augsburg',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => '...',
        BaseDN => '...',
        SSCOPE => 'sub',
        UserDN => '...',
        UserPw => '...',
        #AlwaysFilter => '(&(objectclass=user)(mail=*.*@Firma.de))',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'mail',
    CustomerUserListFields             => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields           => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => ['givenname', 'sn'],

    Map => [
        [ 'UserSalutation', 'Title',      'title',           1, 0, 'var' ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var' ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'sAMAccountName',  1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var' ],
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var' ],
    ],
};

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync the following group with rw permission after the initial creation of the first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];
###############################################################################################################
Wherever '...' appears, the correct value is of course entered...

I'd be grateful for any help.

Regards
OTRS runs on Ubuntu Linux 10.04, version 3.2.3
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master
Contact:

Re: LDAP configuration does not work

Post by jojo

The users are created automatically via the AuthSyncModule, so there must still be something wrong somewhere
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com